Bug 52162 - ssl_engine_kernel.c "revoked client certificate" log needs debug level: hardly ok for production use
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl (show other bugs)
Version: 2.2.21
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: FixedInTrunk, PatchAvailable
Depends on:
Blocks:
 
Reported: 2011-11-09 15:29 UTC by ekp
Modified: 2013-03-03 16:42 UTC (History)
Attachments
Patch to change "if (s->loglevel >= APLOG_DEBUG)" to APLOG_INFO (526 bytes, patch)
2011-11-09 15:29 UTC, ekp

Description ekp 2011-11-09 15:29:04 UTC
Created attachment 27913 [details]
Patch to change "if (s->loglevel >= APLOG_DEBUG)" to APLOG_INFO

In order to log attempts to connect with a revoked client certificate, Apache needs to be configured at debug log level. This seems hardly ok for deployment on production servers.

Source code shows that:
- the log is emitted with APLOG_INFO, which is ok;
- but this is protected by "if (s->loglevel >= APLOG_DEBUG)"...

In ./modules/ssl/ssl_engine_kernel.c @ 1590:

                if (s->loglevel >= APLOG_DEBUG) {
                    char *cp = X509_NAME_oneline(issuer, NULL, 0);
                    long serial = ASN1_INTEGER_get(sn);

                    ap_log_error(APLOG_MARK, APLOG_INFO, 0, s,
                                 "Certificate with serial %ld (0x%lX) "
                                 "revoked per CRL from issuer %s",
                                 serial, serial, cp);
                    modssl_free(cp);
                }

Patch attached.
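The mismatch in the snippet above (guard at APLOG_DEBUG, message at APLOG_INFO) is easy to reason about with a small model. The following is an added example, not code from httpd or from the reporter: server_rec is reduced to its loglevel field, log_error() is a stand-in for ap_log_error()'s level filter, and log_revoked_before(), log_revoked_after() and guard_permits_emit() are hypothetical names. It shows that at LogLevel info the pre-patch code never writes the revocation line, that the patched guard does, and that a guard stricter than the emit level is the general shape of the bug.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* httpd's log severities in the same ascending order as include/http_log.h:
 * a higher number means a more verbose LogLevel. */
enum {
    APLOG_EMERG = 0, APLOG_ALERT, APLOG_CRIT, APLOG_ERR,
    APLOG_WARNING, APLOG_NOTICE, APLOG_INFO, APLOG_DEBUG
};

/* Stand-in for server_rec (assumption): only the configured LogLevel matters. */
typedef struct { int loglevel; } server_rec;

/* Stand-in for ap_log_error (assumption, not httpd's code): the message is
 * written only when its severity does not exceed the server's LogLevel.
 * Returns true if the line would reach the error log. */
static bool log_error(int level, const server_rec *s,
                      char *out, size_t outlen, const char *msg)
{
    if (level > s->loglevel) {
        return false;
    }
    snprintf(out, outlen, "%s", msg);
    return true;
}

/* Same format string as the mod_ssl message in the report. */
static void format_revoked(char *msg, size_t len, long serial, const char *issuer)
{
    snprintf(msg, len, "Certificate with serial %ld (0x%lX) "
                       "revoked per CRL from issuer %s", serial, serial, issuer);
}

/* Pre-patch shape: the guard requires LogLevel debug, but the message is
 * emitted at info, so any LogLevel below debug never sees it. */
static bool log_revoked_before(const server_rec *s, long serial,
                               const char *issuer, char *out, size_t outlen)
{
    out[0] = '\0';
    if (s->loglevel >= APLOG_DEBUG) {
        char msg[256];
        format_revoked(msg, sizeof msg, serial, issuer);
        return log_error(APLOG_INFO, s, out, outlen, msg);
    }
    return false;
}

/* Post-patch shape: guard and emit level agree (both APLOG_INFO). */
static bool log_revoked_after(const server_rec *s, long serial,
                              const char *issuer, char *out, size_t outlen)
{
    out[0] = '\0';
    if (s->loglevel >= APLOG_INFO) {
        char msg[256];
        format_revoked(msg, sizeof msg, serial, issuer);
        return log_error(APLOG_INFO, s, out, outlen, msg);
    }
    return false;
}

/* General check for this class of bug: a message emitted at emit_level is
 * reachable at every LogLevel that would print it only if the surrounding
 * guard is no stricter than emit_level. */
static bool guard_permits_emit(int guard_level, int emit_level)
{
    return guard_level <= emit_level;
}

int main(void)
{
    static const char *names[] = { "emerg", "alert", "crit", "error",
                                   "warn", "notice", "info", "debug" };
    char buf[256];
    for (int lvl = APLOG_WARNING; lvl <= APLOG_DEBUG; lvl++) {
        server_rec s = { lvl };
        /* Constructed sample input: serial 4660 (0x1234), a made-up issuer. */
        bool before = log_revoked_before(&s, 4660L, "/CN=Example CA", buf, sizeof buf);
        bool after = log_revoked_after(&s, 4660L, "/CN=Example CA", buf, sizeof buf);
        printf("LogLevel %-6s before patch: %-3s after patch: %s\n",
               names[lvl], before ? "yes" : "no", after ? "yes" : "no");
    }
    printf("guard DEBUG / emit INFO consistent: %s\n",
           guard_permits_emit(APLOG_DEBUG, APLOG_INFO) ? "yes" : "no");
    return 0;
}
```

Note that even after the patch the line still requires LogLevel info or higher; a production server running at the default LogLevel warn will not record revoked-certificate rejections, so the level has to be raised deliberately if those events are wanted in the error log.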
Comment 1 Rainer Jung 2013-02-15 15:55:17 UTC
Applied in r1165056 to trunk/2.4.x and in r1446637 to 2.2.x.
Will be contained in 2.2.24.
Comment 2 Stefan Fritsch 2013-03-03 16:42:50 UTC
2.2.24 is released